At some point in the past, I attended a Sun security-themed Thang in Los Angeles (small group).
The presenter was talking about a Solaris PAM integration with LDAP auth right before the break for lunch. The auth was done via a "query-username-and-password-strings-from-LDAP-and-compare-locally" method. I pointed out some issues with that - needing a privileged account for the query since the password LDAP attribute is usually protected, password hash on the wire (l0pht was a thing by then, so it felt wrong to sling those around), couple of others.
To their credit, I spent the lunch break with a couple of their engineers in front of a whiteboard working through a 'bind[1]-as-user-to-auth' mechanism instead. I'd like to think this helped their PAM LDAP module become more secure.
[1] https://ldap.com/the-ldap-bind-operation/
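As an added illustration, not code from the talk or from Sun's PAM module, here is a constructed Python model of the two designs discussed above: a stand-in directory whose ACL hides userPassword from non-privileged binds, the query-and-compare method, and the bind-as-user method. All DNs and passwords are constructed.

```python
import base64, hashlib, os, secrets

MANAGER_DN = "cn=manager,dc=example,dc=com"          # constructed privileged DN
ALICE_DN = "uid=alice,ou=people,dc=example,dc=com"   # constructed user DN

def ssha_hash(password: str) -> str:
    """Store a password as {SSHA}base64(sha1(pw+salt)+salt), the common LDAP scheme."""
    salt = os.urandom(4)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def ssha_verify(stored: str, password: str) -> bool:
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return secrets.compare_digest(digest, hashlib.sha1(password.encode() + salt).digest())

class Directory:
    """Minimal stand-in for a directory server: it verifies binds itself,
    and its ACL exposes userPassword only to the manager."""
    def __init__(self, entries):
        self.entries = entries  # dn -> attribute dict

    def simple_bind(self, dn, password):
        entry = self.entries.get(dn)
        return entry is not None and ssha_verify(entry["userPassword"], password)

    def search(self, bound_as, dn):
        entry = dict(self.entries.get(dn, {}))
        if bound_as != MANAGER_DN:
            entry.pop("userPassword", None)  # hash not readable by ordinary binds
        return entry

def build_demo_directory():
    return Directory({MANAGER_DN: {"userPassword": ssha_hash("manager-secret")},
                      ALICE_DN: {"uid": "alice", "userPassword": ssha_hash("correct horse")}})

def auth_query_and_compare(d, manager_pw, user_dn, password):
    """The pattern from the talk: bind as a privileged account, read the
    user's hash out of the directory, and compare it on the client."""
    if not d.simple_bind(MANAGER_DN, manager_pw):
        raise PermissionError("reading userPassword needs a privileged bind")
    stored = d.search(MANAGER_DN, user_dn).get("userPassword")  # hash leaves the server
    return stored is not None and ssha_verify(stored, password)

def auth_bind_as_user(d, user_dn, password):
    """The whiteboard alternative: bind as the user. The directory checks the
    password; the client needs no privileged credential and never sees a hash."""
    return d.simple_bind(user_dn, password)
```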